Anomali ThreatStream v2
Use the Anomali ThreatStream integration to query and submit threats.
Anomali ThreatStream v2 Playbook
- Detonate File - ThreatStream
- Detonate URL - ThreatStream
Use Cases
- Get threat intelligence from the ThreatStream platform.
- Create and manage threat models.
- Import indicators to ThreatStream platform.
- Submit file or URL to sandbox and receive an analysis report.
Configure Anomali ThreatStream v2 on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for Anomali ThreatStream v2.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g., https://www.test.com )
- Username
- API Key
- Threshold of the indicator.
- Trust any certificate (insecure)
- Use system proxy
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get the reputation of an IP address: ip
- Get the reputation of a domain name: domain
- Get the reputation of a file: file
- Get the reputation of a URL: url
- Get the reputation of an email address: threatstream-email-reputation
- Get enrichment data for a domain or IP address: threatstream-get-passive-dns
- Import indicators: threatstream-import-indicator-with-approval
- Get a list of threat models: threatstream-get-model-list
- Get a description of a threat model: threatstream-get-model-description
- Get a list of indicators for a threat model: threatstream-get-indicators-by-model
- Submit a file or URL for detonation: threatstream-submit-to-sandbox
- Get the status of a report: threatstream-get-analysis-status
- Get the report of a submitted file or URL: threatstream-analysis-report
- Get a list of filtered indicators: threatstream-get-indicators
- Add tags to a threat model: threatstream-add-tag-to-model
- Create a threat model: threatstream-create-model
- Update a threat model: threatstream-update-model
- Get a list of supported platforms: threatstream-supported-platforms
1. Get the reputation for an IP address
Checks for and returns the reputation of the given IP address.
Base Command
ip
Input
| Argument Name | Description | Required |
|---|---|---|
| ip | The IP to check. | Required |
| threshold | If the severity is greater than or equal to the threshold, then the IP address will be considered malicious. This argument will override the default threshold defined as a parameter. | Optional |
| include_inactive | Whether to include results with the status "Inactive". Default is "True". | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | Vendor used to calculate the score. |
| IP.ASN | String | Autonomous System (AS) number associated with the indicator. |
| IP.Address | String | IP address of the indicator. |
| IP.Geo.Country | String | Country associated with the indicator. |
| IP.Geo.Location | String | Longitude and latitude of the IP address. |
| ThreatStream.IP.ASN | String | Autonomous System (AS) number associated with the indicator. |
| ThreatStream.IP.Address | String | IP address of the indicator. |
| ThreatStream.IP.Country | String | Country associated with the indicator. |
| ThreatStream.IP.Type | String | The indicator type. |
| ThreatStream.IP.Modified | String | Time when the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time. |
| ThreatStream.IP.Severity | String | The indicator severity ("very-high", "high", "medium", or "low". |
| ThreatStream.IP.Confidence | String | Level of certainty that an observable is of the reported indicator type. Confidence score can range from 0-100, in increasing order of confidence. |
| ThreatStream.IP.Status | String | Status assigned to the indicator. |
| ThreatStream.IP.Organization | String | Name of the business that owns the IP address associated with the indicator. |
| ThreatStream.IP.Source | String | The source of the indicator. |
| DBotScore.Score | Number | The actual score. |
| IP.Malicious.Vendor | String | Vendor that reported the indicator as malicious. |
Command Example
ip ip=39.41.26.166 using-brand="Anomali ThreatStream v2"
Context Example
{
"IP": {
"Geo": {
"Country": "PK",
"Location": "33.6007,73.0679"
},
"ASN": "45595",
"Address": "39.41.26.166"
},
"DBotScore": {
"Vendor": "TOR Exit Nodes",
"Indicator": "39.41.26.166",
"Score": 2,
"Type": "ip"
},
"ThreatStream.IP": {
"Status": "active",
"Confidence": 96,
"Severity": "low",
"Country": "PK",
"Modified": "2019-06-24T10:10:12.289Z",
"Source": "TOR Exit Nodes",
"Address": "39.41.26.166",
"Organization": "PTCL",
"Type": "ip",
"ASN": "45595"
}
}
Human Readable Output
IP reputation for: 39.41.26.166
| Address | Confidence | Source | Type | Status | Modified | Organization | ASN | Country | Severity |
|---|---|---|---|---|---|---|---|---|---|
| 39.41.26.166 | 96 | TOR Exit Nodes | ip | active | 2019-06-24T10:10:12.289Z | PTCL | 45595 | PK | low |
2. Get the reputation of a domain name
Checks for and returns the reputation of the given domain name.
Base Command
domain
Input
| Argument Name | Description | Required |
|---|---|---|
| domain | The domain name to check. | Required |
| threshold | If severity is greater than or equal to the threshold, then the IP address will be considered malicious. This argument will override the default threshold defined as a parameter. | Optional |
| include_inactive | Whether to include results with status of "Inactive". Default is "True". | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Domain.Name | String | The domain name. |
| Domain.DNS | String | IPs resolved by DNS. |
| Domain.WHOIS.CreationDate | Date | Date the domain was created. The date format is: YYYYMMDDThhmmss. Where "T" denotes the start of the value for time, in UTC time. |
| Domain.WHOIS.UpdatedDate | Date | Date the domain was last updated. The date format is: YYYYMMDDThhmmss. Where "T" denotes the start of the value for time, in UTC time. |
| Domain.WHOIS.Registrant.Name | String | Name of the registrant. |
| Domain.WHOIS.Registrant.Email | String | Email address of the registrant. |
| Domain.WHOIS.Registrant.Phone | String | Phone number of the registrant. |
| ThreatStream.Domain.ASN | String | Autonomous System (AS) number associated with the indicator. |
| ThreatStream.Domain.Address | String | The domain name of the indicator. |
| ThreatStream.Domain.Country | String | Country associated with the indicator. |
| ThreatStream.Domain.Type | String | The indicator type. |
| ThreatStream.Domain.Modified | String | Date and time when the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value |
| for time, in UTC time. | ||
| ThreatStream.Domain.Severity | String | The indicator severity ("very-high", "high", "medium", "low"). |
| ThreatStream.Domain.Confidence | String | Level of certainty that an observable is of the reported indicator type. Confidence score can range from 0-100, in increasing order of confidence. |
| ThreatStream.Domain.Status | String | Status assigned to the indicator. |
| ThreatStream.Domain.Organization | String | Name of the business that owns the IP address associated with the indicator. |
| ThreatStream.Domain.Source | String | The source of the indicator. |
| Domain.Malicious.Vendor | String | Vendor that reported the indicator as malicious. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | Vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
Command Example
domain domain="microsoftfaq.com" using-brand="Anomali ThreatStream v2"
Context Example
{
"ThreatStream.Domain": {
"Status": "active",
"Confidence": 38,
"Severity": "high",
"Country": null,
"Modified": "2019-06-24T08:39:04.644Z",
"Source": "Analyst",
"Address": "microsoftfaq.com",
"Organization": "",
"Type": "domain",
"ASN": ""
},
"Domain": {
"Malicious": {
"Vendor": "ThreatStream"
},
"Name": "microsoftfaq.com",
"DNS": "127.0.0.1",
"WHOIS": {
"UpdatedDate": "2019-06-24T08:39:04.644Z",
"CreationDate": "2019-06-24T08:38:53.246Z",
"Registrant": {
"Phone": "",
"Email": "",
"Name": "Registrant City:"
}
}
},
"DBotScore": {
"Vendor": "Analyst",
"Indicator": "microsoftfaq.com",
"Score": 3,
"Type": "domain"
}
}
Human Readable Output
Domain reputation for: microsoftfaq.com
| Address | Confidence | Source | Type | Status | Modified | Organization | ASN | Country | Severity |
|---|---|---|---|---|---|---|---|---|---|
| microsoftfaq.com | 38 | Analyst | domain | active | 2019-06-24T08:39:04.644Z | high |
3. Get the reputation of a file
Checks for and returns the reputation of the given MD5 hash of the file.
Base Command
file
Input
| Argument Name | Description | Required |
|---|---|---|
| file | The MD5 hash of file to check. | Required |
| threshold | If severity is greater than or equal to the threshold, then the MD5 hash of file will be considered malicious. This argument will override the default threshold defined as a parameter. | Optional |
| include_inactive | Whether to include results with the status "Inactive". Default is "True". | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| File.MD5 | String | MD5 hash of the file. |
| File.Malicious.Vendor | String | Vendor that reported the indicator as malicious. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | Vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| ThreatStream.File.Severity | String | The indicator severity ("very-high", "high", "medium", "low"). |
| ThreatStream.File.Confidence | String | Level of certainty that an observable is of the reported indicator type. Confidence score can range from 0-100, in increasing order of confidence. |
| ThreatStream.File.Status | String | Status assigned to the indicator. |
| ThreatStream.File.Type | String | The indicator type. |
| ThreatStream.File.MD5 | String | The MD5 hash of the indicator. |
| ThreatStream.File.Modified | String | Date and time when the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time. |
| ThreatStream.File.Source | String | The source of the indicator. |
Command Example
file file=07df6c1d9a76d81f191be288d463784b using-brand="Anomali ThreatStream v2"
Context Example
{
"DBotScore": {
"Vendor": "URLHaus Hashes",
"Indicator": "07df6c1d9a76d81f191be288d463784b",
"Score": 2,
"Type": "md5"
},
"ThreatStream.File": {
"Status": "active",
"Confidence": 75,
"Severity": "medium",
"Modified": "2019-06-24T10:13:27.284Z",
"Source": "URLHaus Hashes",
"Type": "md5",
"MD5": "07df6c1d9a76d81f191be288d463784b"
},
"File": {
"MD5": "07df6c1d9a76d81f191be288d463784b"
}
}
Human Readable Output
MD5 reputation for: 07df6c1d9a76d81f191be288d463784b
| Confidence | Source | Type | Status | Modified | Severity | MD5 |
|---|---|---|---|---|---|---|
| 75 | URLHaus Hashes | md5 | active | 2019-06-24T10:13:27.284Z | medium | 07df6c1d9a76d81f191be288d463784b |
4. Get the reputation of a URL
Checks for and returns the reputation of the given URL.
Base Command
url
Input
| Argument Name | Description | Required |
|---|---|---|
| url | The URL to check. | Required |
| threshold | If the severity is greater than or equal to the threshold, then the URL will be considered malicious. This argument will override the default threshold defined as a parameter. | Optional |
| include_inactive | Whether to include results with the status "Inactive". Default is "True". | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | Vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| URL.Data | String | The URL of the indicator. |
| URL.Malicious.Vendor | String | Vendor that reported the indicator as malicious. |
| ThreatStream.URL.Modified | String | Date and time when the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time. |
| ThreatStream.URL.Confidence | String | Level of certainty that an observable is of the reported indicator type. Confidence score can range from 0-100, in increasing order of confidence. |
| ThreatStream.URL.Status | String | The status of the indicator. |
| ThreatStream.URL.Organization | String | Name of the business that owns the IP address associated with the indicator. |
| ThreatStream.URL.Address | String | URL of the indicator. |
| ThreatStream.URL.Country | String | Country associated with the indicator. |
| ThreatStream.URL.Type | String | The indicator type. |
| ThreatStream.URL.Source | String | The source of the indicator. |
| ThreatStream.URL.Severity | String | The indicator severity ("very-high", "high", "medium", or "low"). |
Command Example
url url=http://194.147.35.172/mikey.mpsl using-brand="Anomali ThreatStream v2"
Context Example
{
"URL": {
"Malicious": {
"Vendor": "ThreatStream"
},
"Data": "http://194.147.35.172/mikey.mpsl"
},
"ThreatStream.URL": {
"Status": "active",
"Confidence": 90,
"Severity": "very-high",
"Country": "RU",
"Modified": "2019-06-24T10:10:05.890Z",
"Source": "H3X Tracker",
"Address": "http://194.147.35.172/mikey.mpsl",
"Organization": "LLC Baxet",
"Type": "url"
},
"DBotScore": {
"Vendor": "H3X Tracker",
"Indicator": "http://194.147.35.172/mikey.mpsl",
"Score": 3,
"Type": "url"
}
}
Human Readable Output
URL reputation for: http://194.147.35.172/mikey.mpsl
| Address | Confidence | Source | Type | Status | Modified | Organization | Country | Severity |
|---|---|---|---|---|---|---|---|---|
| http://194.147.35.172/mikey.mpsl | 90 | H3X Tracker | url | active | 2019-06-24T10:10:05.890Z | LLC Baxet | RU | very-high |
5. Get the reputation of an email address
Checks for and returns the reputation of the given email address.
Base Command
threatstream-email-reputation
Input
| Argument Name | Description | Required |
|---|---|---|
| The email address to check. | Required | |
| threshold | If the severity is greater or equal than the threshold, then the IP address will be considered malicious. This argument will override the default threshold defined as a parameter. | Optional |
| include_inactive | Whether to include results with the status "Inactive". Default is "True". | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | String | The tested indicator. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | Vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| ThreatStream.EmailReputation.Severity | String | The indicator severity ("very-high", "high", "medium", "low"). |
| ThreatStream.EmailReputation.Confidence | String | Level of certainty that an observable is of the reported indicator type. Confidence score can range from 0-100, in increasing order of confidence. |
| ThreatStream.EmailReputation.Status | String | Status assigned to the indicator. |
| ThreatStream.EmailReputation.Type | String | The indicator type. |
| ThreatStream.EmailReputation.Email | String | The email address of the indicator. |
| ThreatStream.EmailReputation.Source | String | The source of the indicator. |
| ThreatStream.EmailReputation.Modified | String | Date and time when the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time. |
Command Example
threatstream-email-reputation email=goo@test.com
Context Example
{
"DBotScore": {
"Vendor": "Anomali Labs Compromised Credentials",
"Indicator": "goo@test.com",
"Score": 2,
"Type": "email"
},
"ThreatStream.EmailReputation": {
"Status": "active",
"Confidence": 100,
"Severity": "low",
"Modified": "2019-06-24T09:50:23.810Z",
"Source": "Anomali Labs Compromised Credentials",
"Type": "email",
"Email": "goo@test.com"
}
}
Human Readable Output
Email reputation for: foo@test.com
| Confidence | Source | Type | Status | Modified | Severity | |
|---|---|---|---|---|---|---|
| 100 | Anomali Labs Compromised Credentials | active | 2019-06-24T09:50:23.810Z | low | foo@test.com |
6. Get enrichment data for a domain or IP address
Returns enrichment data for a domain or an IP address, for available observables.
Base Command
threatstream-get-passive-dns
Input
| Argument Name | Description | Required |
|---|---|---|
| type | The type of passive DNS search ("ip", "domain"). | Required |
| value | Possible values are "IP" or "Domain". | Required |
| limit | Maximum number of results to return. Default is 50. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatStream.PassiveDNS.Domain | String | The domain value. |
| ThreatStream.PassiveDNS.Ip | String | The IP value. |
| ThreatStream.PassiveDNS.Rrtype | String | The Rrtype value. |
| ThreatStream.PassiveDNS.Source | String | The source value. |
| ThreatStream.PassiveDNS.FirstSeen | String | The first seen date. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time. |
| ThreatStream.PassiveDNS.LastSeen | String | The last seen date. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time. |
Command Example
threatstream-get-passive-dns type=domain value=discoverer.blog
Context Example
{
"ThreatStream.PassiveDNS": [
{
"Domain": "discoverer.blog",
"Ip": "184.168.221.52",
"Rrtype": "A",
"Source": "Spamhaus",
"LastSeen": "2019-06-23T08:09:54",
"FirstSeen": "2019-06-23T08:09:54"
},
{
"Domain": "discoverer.blog",
"Ip": "50.63.202.51",
"Rrtype": "A",
"Source": "Spamhaus",
"LastSeen": "2019-06-21T10:33:54",
"FirstSeen": "2019-06-21T10:33:54"
}
]
}
Human Readable Output
Passive DNS enrichment data for: discoverer.blog
| Domain | Ip | Rrtype | Source | FirstSeen | LastSeen |
|---|---|---|---|---|---|
| discoverer.blog | 184.168.221.52 | A | Spamhaus | 2019-06-23T08:09:54 | 2019-06-23T08:09:54 |
| discoverer.blog | 50.63.202.51 | A | Spamhaus | 2019-06-21T10:33:54 | 2019-06-21T10:33:54 |
7. Import indicators
Imports indicators (observables) into ThreatStream. Approval of the imported data is required, using the ThreatStream UI. The data can be imported using one of three methods: plain-text, file, or URL. Only one argument can be used.
Base Command
threatstream-import-indicator-with-approval
Input
| Argument Name | Description | Required |
|---|---|---|
| confidence | The level of certainty that an observable is of the reported indicator type. Default is 50. | Optional |
| classification | Denotes whether the indicator data is public or private to the organization. Default is "private". | Optional |
| threat_type | Type of threat associated with the imported observables. Default is "exploit". | Optional |
| severity | Gauges the potential impact of the indicator type the observable is thought to be associated with. Default is "low". | Optional |
| import_type | The import type of the indicator. | Required |
| import_value | The source of imported data. Can be one of the following: url, data text of file-id of uploaded file to the War Rroom. Supported formats in case of file-id are: CSV, HTML, IOC, JSON, PDF, TXT. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatStream.Import.ImportID | String | The ID of the imported data. |
Command Example
threatstream-import-indicator-with-approval import_type="file-id" import_value=5403@6cf3881e-1cfd-48b5-8fc3-0b9fcfb791f0
Context Example
{
"File": {
"EntryID": "5403@6cf3881e-1cfd-48b5-8fc3-0b9fcfb791f0",
"Extension": "csv",
"Info": "text/csv; charset=utf-8",
"MD5": "5b7ed7973e4deb3c98ee3a4bd6d911af",
"Name": "input.csv",
"SHA1": "055c5002eb5a4d4abe2eb1768e925bfc3a1a763e",
"SHA256": "fd16220852b39e2c8fa51766750e3991670766512836212c799c5a0537e3ef8c",
"SSDeep": "3:Wg8oEIjOH9+KS3qvRBTdRi690oVqzBUGyT0/n:Vx0HgKnTdE6eoVafY8",
"Size": 102,
"Type": "UTF-8 Unicode (with BOM) text, with CRLF line terminators\n"
},
"ThreatStream": {
"Import": {
"ImportID": "894516"
}
}
}
Human Readable Output
The data was imported successfully. The ID of imported job is: 894514
8. Get a list of threat models
Returns a list of threat models.
Base Command
threatstream-get-model-list
Input
| Argument Name | Description | Required |
|---|---|---|
| model | Threat model of the returned list. | Required |
| limit | Limits the list of models size. Specifying limit=0 will return up to a maximum of 1,000 models. In case limit=0 the output won't be set in the context. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatStream.List.Type | String | The type of threat model. |
| ThreatStream.List.Name | String | The name of the threat model. |
| ThreatStream.List.ID | String | The ID of the threat model. |
| ThreatStream.List.CreatedTime | String | Date and time of threat model creation. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time. |
Command Example
threatstream-get-model-list model=actor limit=10
Context Example
{
"ThreatStream.List": [
{
"CreatedTime": "2015-06-29T17:02:01.885011",
"Type": "Actor",
"ID": 2,
"Name": "Pirpi"
},
{
"CreatedTime": "2015-06-30T19:20:05.930697",
"Type": "Actor",
"ID": 3,
"Name": "TeamCyberGhost"
},
{
"CreatedTime": "2015-07-01T18:10:53.241301",
"Type": "Actor",
"ID": 4,
"Name": "Wekby"
},
{
"CreatedTime": "2015-07-01T19:27:06.180602",
"Type": "Actor",
"ID": 5,
"Name": "Axiom"
},
{
"CreatedTime": "2015-07-01T19:52:56.019862",
"Type": "Actor",
"ID": 7,
"Name": "Peace (Group) a/k/a C0d0s0"
},
{
"CreatedTime": "2015-07-01T19:58:50.741202",
"Type": "Actor",
"ID": 8,
"Name": "Nitro"
},
{
"CreatedTime": "2015-07-06T16:06:12.123839",
"Type": "Actor",
"ID": 9,
"Name": "Comment Crew"
},
{
"CreatedTime": "2015-07-07T17:40:04.920012",
"Type": "Actor",
"ID": 10,
"Name": "Comfoo"
},
{
"CreatedTime": "2015-07-07T18:53:12.331221",
"Type": "Actor",
"ID": 11,
"Name": "Syrian Electronic Army"
},
{
"CreatedTime": "2015-07-08T20:59:29.751919",
"Type": "Actor",
"ID": 12,
"Name": "DD4BC"
}
]
}
Human Readable Output
List of Actors
| CreatedTime | ID | Name | Type |
|---|---|---|---|
| 2015-06-29T17:02:01.885011 | 2 | Pirpi | Actor |
| 2015-06-30T19:20:05.930697 | 3 | TeamCyberGhost | Actor |
| 2015-07-01T18:10:53.241301 | 4 | Wekby | Actor |
| 2015-07-01T19:27:06.180602 | 5 | Axiom | Actor |
| 2015-07-01T19:52:56.019862 | 7 | Peace (Group) a/k/a C0d0s0 | Actor |
| 2015-07-01T19:58:50.741202 | 8 | Nitro | Actor |
| 2015-07-06T16:06:12.123839 | 9 | Comment Crew | Actor |
| 2015-07-07T17:40:04.920012 | 10 | Comfoo | Actor |
| 2015-07-07T18:53:12.331221 | 11 | Syrian Electronic Army | Actor |
| 2015-07-08T20:59:29.751919 | 12 | DD4BC | Actor |
9. Get a description of a threat model
Returns an HTML file with a description of the threat model.
Base Command
threatstream-get-model-description
Input
| Argument Name | Description | Required |
|---|---|---|
| model | The threat model. | Required |
| id | The ID of the threat model. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| File.Name | String | The file name of the model description. |
| File.EntryID | String | The entry ID of the model description. |
Command Example
threatstream-get-model-description model=campaign id=1406
Context Example
{
"File": {
"EntryID": "5384@6cf3881e-1cfd-48b5-8fc3-0b9fcfb791f0",
"Extension": "html",
"Info": "text/html; charset=utf-8",
"MD5": "66eabc1c704fdac429939eb09bc5346f",
"Name": "campaign_1406.html",
"SHA1": "69f3dfe8ae037253e782dd201904aa583d83bcd7",
"SHA256": "49635483962b38a2fd5d50ebbb51b7002ecab3fd23e0f9f99e915f7b33d3f739",
"SSDeep": "96:XZcBqz4xqHC2AwALc+nvJN7GBoBGK1IW7h:XC40W/tixmoLTh",
"Size": 3686,
"Type": "HTML document text, ASCII text, with very long lines, with no line terminators\n"
}
}
10. Get a list of indicators for a threat model
Returns a list of indicators associated with the specified model and ID of the model.
Base Command
threatstream-get-indicators-by-model
Input
| Argument Name | Description | Required |
|---|---|---|
| model | The threat model. | Required |
| id | The ID of the model. | Required |
| limit | Maximum number of results to return. Default is 20. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatStream.Model.ModelType | String | The type of the threat model. |
| ThreatStream.Model.ModelID | String | The ID of the threat model. |
| ThreatStream.Model.Indicators.Value | String | The value of indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ID | String | The ID of indicator associated with the specified model. |
| ThreatStream.Model.Indicators.IType | String | The iType of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Severity | String | The severity of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Confidence | String | The confidence of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Country | String | The country of the indicator associated with the specified model |
| ThreatStream.Model.Indicators.Organization | String | The organization of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ASN | String | The ASN of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Status | String | The status of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Tags | String | The tags of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Modified | String | The date and time the indicator was last modified. |
| ThreatStream.Model.Indicators.Source | String | The source of the indicator. |
| ThreatStream.Model.Indicators.Type | String | The type of the indicator. |
Command Example
threatstream-get-indicators-by-model id=11885 model=incident
Context Example
{
"ThreatStream.Model": {
"Indicators": [
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.446",
"Value": "417072b246af74647897978902f7d903562e0f6f",
"ID": "50117813617",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.455",
"Value": "d3c65377d39e97ab019f7f00458036ee0c7509a7",
"ID": "50117813616",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.462",
"Value": "5f51084a4b81b40a8fcf485b0808f97ba3b0f6af",
"ID": "50117813615",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.469",
"Value": "220a8eacd212ecc5a55d538cb964e742acf039c6",
"ID": "50117813614",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.477",
"Value": "a16ef7d96a72a24e2a645d5e3758c7d8e6469a55",
"ID": "50117813612",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.485",
"Value": "275e76fc462b865fe1af32f5f15b41a37496dd97",
"ID": "50117813611",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.493",
"Value": "df4b8c4b485d916c3cadd963f91f7fa9f509723f",
"ID": "50117813610",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.500",
"Value": "66eccea3e8901f6d5151b49bca53c126f086e437",
"ID": "50117813609",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.507",
"Value": "3d90630ff6c151fc2659a579de8d204d1c2f841a",
"ID": "50117813608",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.513",
"Value": "a6d14b104744188f80c6c6b368b589e0bd361607",
"ID": "50117813607",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.520",
"Value": "e3f183e67c818f4e693b69748962eecda53f7f88",
"ID": "50117813606",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.527",
"Value": "f326479a4aacc2aaf86b364b78ed5b1b0def1fbe",
"ID": "50117813605",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.534",
"Value": "c4d1fb784fcd252d13058dbb947645a902fc8935",
"ID": "50117813604",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.541",
"Value": "fb4a4143d4f32b0af4c2f6f59c8d91504d670b41",
"ID": "50117813603",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.548",
"Value": "400e4f843ff93df95145554b2d574a9abf24653f",
"ID": "50117813602",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.555",
"Value": "f82d18656341793c0a6b9204a68605232f0c39e7",
"ID": "50117813601",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.562",
"Value": "c33fe4c286845a175ee0d83db6d234fe24dd2864",
"ID": "50117813600",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.569",
"Value": "d9294b86b3976ddf89b66b8051ccf98cfae2e312",
"ID": "50117813599",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.576",
"Value": "9fc71853d3e6ac843bd36ce9297e398507e5b2bd",
"ID": "50117813597",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
},
{
"Status": "active",
"Confidence": 100,
"IType": "mal_md5",
"Severity": "very-high",
"Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization",
"Country": null,
"Modified": "2017-09-25T11:43:54.583",
"Value": "c0ad9c242c533effd50b51e94874514a5b9f2219",
"ID": "50117813596",
"Source": "ThreatStream",
"Organization": "",
"Type": "md5",
"ASN": ""
}
],
"ModelType": "Incident",
"ModelID": "11885"
}
}
Human Readable Output
Indicators list for Threat Model Incident with id 11885
| IType | Value | ID | Confidence | Source | Type | Status | Tags | Modified | Organization | ASN | Country | Severity |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| mal_md5 | 417072b246af74647897978902f7d903562e0f6f | 50117813617 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.446 | very-high | |||
| mal_md5 | d3c65377d39e97ab019f7f00458036ee0c7509a7 | 50117813616 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.455 | very-high | |||
| mal_md5 | 5f51084a4b81b40a8fcf485b0808f97ba3b0f6af | 50117813615 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.462 | very-high | |||
| mal_md5 | 220a8eacd212ecc5a55d538cb964e742acf039c6 | 50117813614 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.469 | very-high | |||
| mal_md5 | a16ef7d96a72a24e2a645d5e3758c7d8e6469a55 | 50117813612 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.477 | very-high | |||
| mal_md5 | 275e76fc462b865fe1af32f5f15b41a37496dd97 | 50117813611 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.485 | very-high | |||
| mal_md5 | df4b8c4b485d916c3cadd963f91f7fa9f509723f | 50117813610 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.493 | very-high | |||
| mal_md5 | 66eccea3e8901f6d5151b49bca53c126f086e437 | 50117813609 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.500 | very-high | |||
| mal_md5 | 3d90630ff6c151fc2659a579de8d204d1c2f841a | 50117813608 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.507 | very-high | |||
| mal_md5 | a6d14b104744188f80c6c6b368b589e0bd361607 | 50117813607 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.513 | very-high | |||
| mal_md5 | e3f183e67c818f4e693b69748962eecda53f7f88 | 50117813606 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.520 | very-high | |||
| mal_md5 | f326479a4aacc2aaf86b364b78ed5b1b0def1fbe | 50117813605 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.527 | very-high | |||
| mal_md5 | c4d1fb784fcd252d13058dbb947645a902fc8935 | 50117813604 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.534 | very-high | |||
| mal_md5 | fb4a4143d4f32b0af4c2f6f59c8d91504d670b41 | 50117813603 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.541 | very-high | |||
| mal_md5 | 400e4f843ff93df95145554b2d574a9abf24653f | 50117813602 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.548 | very-high | |||
| mal_md5 | f82d18656341793c0a6b9204a68605232f0c39e7 | 50117813601 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.555 | very-high | |||
| mal_md5 | c33fe4c286845a175ee0d83db6d234fe24dd2864 | 50117813600 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.562 | very-high | |||
| mal_md5 | d9294b86b3976ddf89b66b8051ccf98cfae2e312 | 50117813599 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.569 | very-high | |||
| mal_md5 | 9fc71853d3e6ac843bd36ce9297e398507e5b2bd | 50117813597 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.576 | very-high | |||
| mal_md5 | c0ad9c242c533effd50b51e94874514a5b9f2219 | 50117813596 | 100 | ThreatStream | md5 | active | FINSPY,FinSpy,community-threat-briefing,Weaponization | 2017-09-25T11:43:54.583 | very-high |
11. Submit a file or URL for detonation
Submits a file or URL to the ThreatStream-hosted Sandbox for detonation.
Base Command
threatstream-submit-to-sandbox
Input
| Argument Name | Description | Required |
|---|---|---|
| submission_classification | Classification of the sandbox submission. | Optional |
| report_platform | Platform on which the submitted URL or file will be run. To obtain a list supported platforms run the threatstream-get-sandbox-platforms command. | Optional |
| submission_type | The detonation type ("file" or "url"). | Required |
| submission_value | The submission value. Possible values are a valid URL or a file ID that was uploaded to the War Room to detonate. | Required |
| premium_sandbox | Specifies whether the premium sandbox should be used for detonation. Default is "false". | Optional |
| detail | A CSV list of additional details for the indicator. This information is displayed in the Tag column of the ThreatStream UI. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatStream.Analysis.ReportID | String | The report ID that was submitted to the sandbox. |
| ThreatStream.Analysis.Status | String | The analysis status. |
| ThreatStream.Analysis.Platform | String | The platform of the submission submitted to the sandbox. |
Command Example
threatstream-submit-to-sandbox submission_type=file submission_value=5358@6cf3881e-1cfd-48b5-8fc3-0b9fcfb791f0 premium_sandbox=false report_platform=WINDOWS7
Context Example
{
"File": {
"EntryID": "5358@6cf3881e-1cfd-48b5-8fc3-0b9fcfb791f0",
"Extension": "png",
"Info": "image/png",
"MD5": "a36544c75d1253d8dd32070908adebd0",
"Name": "input_file.png",
"SHA1": "15868fbe28e34f601b4e07b0f356ecb1f3a14876",
"SHA256": "5126eb938b3c2dc53837d4805df01c8522a3bd4e5e77e9bc4f825b9ee178e6ab",
"SSDeep": "98304:pKOjdLh3d35gcNMjnN+FOLEdhVb2t6lLPP9nuyxJ4iQzxKxOduLT/GzxS3UvtT:pHhhvglN+F+GwUlLPP9PxnQzxKxOdEUR",
"Size": 4938234,
"Type": "PNG image data, 2572 x 1309, 8-bit/color RGBA, non-interlaced\n"
},
"ThreatStream": {
"Analysis": {
"Platform": "WINDOWS7",
"ReportID": 422662,
"Status": "processing"
}
}
}
Human Readable Output
The submission info for 5358@6cf3881e-1cfd-48b5-8fc3-0b9fcfb791f0
| ReportID | Status | Platform |
|---|---|---|
| 422662 | processing | WINDOWS7 |
12. Get the status of a report
Returns the current status of the report that was submitted to the sandbox. The report ID is returned from the
threatstream-submit-to-sandbox
command.
Base Command
threatstream-get-analysis-status
Input
| Argument Name | Description | Required |
|---|---|---|
| report_id | Report ID for which to check the status. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatStream.Analysis.ReportID | String | The report ID of the file or URL that was detonated to sandbox. |
| ThreatStream.Analysis.Status | String | The report status of the file or URL that was detonated in the sandbox. |
| ThreatStream.Analysis.Platform | String | The platform that was used for detonation. |
| ThreatStream.Analysis.Verdict | String | The report verdict of the file or URL that was detonated in the sandbox. The verdict will remain "benign" until detonation is complete. |
Command Example
threatstream-get-analysis-status report_id=422662
Context Example
{
"ThreatStream": {
"Analysis": {
"Platform": "WINDOWS7",
"ReportID": "422662",
"Status": "processing",
"Verdict": "Benign"
}
}
}
Human Readable Output
The analysis status for id 422662
| ReportID | Status | Platform | Verdict |
|---|---|---|---|
| 422662 | processing | WINDOWS7 | Benign |
13. Get the report of a submitted file or URL
Returns the report of a file or URL that was submitted to the sandbox.
Base Command
threatstream-analysis-report
Input
| Argument Name | Description | Required |
|---|---|---|
| report_id | Report ID to return. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatStream.Analysis.ReportID | String | The ID of the report submitted to the sandbox. |
| ThreatStream.Analysis.Category | String | The report category. |
| ThreatStream.Analysis.Started | String | Detonation start time. |
| ThreatStream.Analysis.Completed | String | Detonation completion time. |
| ThreatStream.Analysis.Duration | Number | Duration of the detonation (in seconds). |
| ThreatStream.Analysis.VmName | String | The name of the VM. |
| ThreatStream.Analysis.VmID | String | The ID of the VM. |
| ThreatStream.Analysis.Network.UdpSource | String | The source of UDP. |
| ThreatStream.Analysis.Network.UdpDestination | String | The destination of UDP. |
| ThreatStream.Analysis.Network.UdpPort | String | The port of the UDP. |
| ThreatStream.Analysis.Network.IcmpSource | String | The ICMP source. |
| ThreatStream.Analysis.Network.IcmpDestination | String | The destination of ICMP. |
| ThreatStream.Analysis.Network.IcmpPort | String | The port of the ICMP. |
| ThreatStream.Analysis.Network.TcpSource | String | The source of TCP. |
| ThreatStream.Analysis.Network.TcpDestination | String | The destination of TCP. |
| ThreatStream.Analysis.Network.TcpPort | String | The port of TCP. |
| ThreatStream.Analysis.Network.HttpSource | String | The source of HTTP. |
| ThreatStream.Analysis.Network.HttpDestinaton | String | The destination of HTTP. |
| ThreatStream.Analysis.Network.HttpPort | String | The port of HTTP. |
| ThreatStream.Analysis.Network.HttpsSource | String | The source of HTTPS. |
| ThreatStream.Analysis.Network.HttpsDestinaton | String | The destination of HTTPS. |
| ThreatStream.Analysis.Network.HttpsPort | String | The port of HTTPS. |
| ThreatStream.Analysis.Network.Hosts | String | The hosts of network analysis. |
| ThreatStream.Analysis.Verdict | String | The verdict of the sandbox detonation. |
Command Example
threatstream-analysis-report report_id=413336
Context Example
{
"ThreatStream": {
"Analysis": {
"Category": "File",
"Completed": "2019-05-30 14:06:33",
"Duration": 68,
"Network": [
{
"UdpDestination": "8.8.8.8",
"UdpPort": 53,
"UdpSource": "192.168.2.4"
},
{
"UdpDestination": "192.168.2.4",
"UdpPort": 65324,
"UdpSource": "8.8.8.8"
},
{
"UdpDestination": "192.168.2.4",
"UdpPort": 54896,
"UdpSource": "8.8.8.8"
}
],
"ReportID": "413336",
"Started": "2019-05-30 14:05:25",
"Verdict": "Benign",
"VmID": "",
"VmName": ""
}
}
}
Human Readable Output
Report 413336 analysis results
| Category | Started | Completed | Duration | VmName | VmID | ReportID | Verdict |
|---|---|---|---|---|---|---|---|
| File | 2019-05-30 14:05:25 | 2019-05-30 14:06:33 | 68 | 413336 | Benign |
14. Get a list of filtered indicators
Return filtered indicators from ThreatStream. If a query is defined, it overrides all of the arguments that were passed to the command.
Base Command
threatstream-get-indicators
Input
| Argument Name | Description | Required |
|---|---|---|
| query | Anomali Observable Search Filter Language query to filter indicators results. If a query is passed as an argument, it overrides all other arguments. | Optional |
| asn | Autonomous System (AS) number associated with the indicator. | Optional |
| confidence |
Level of certainty that an observable
is of the reported indicator type. Confidence scores range from 0-100, in increasing order of confidence, and is assigned by ThreatStream based on several factors. |
Optional |
| country | Country associated with the indicator. | Optional |
| created_ts |
When the indicator was first seen on
the ThreatStream cloud platform. Date must be specified in this format: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time. For example, 2014-10-02T20:44:35. |
Optional |
| id | Unique ID for the indicator. | Optional |
| is_public | Classification of the indicator. | Optional |
| indicator_severity | Severity assigned to the indicator by ThreatStream. | Optional |
| org | Registered owner (organization) of the IP address associated with the indicator. | Optional |
| status | Status assigned to the indicator. | Optional |
| tags_name | Tag assigned to the indicator. | Optional |
| type | Type of indicator. | Optional |
| indicator_value | Value of the indicator. | Optional |
| limit | Maximum number of results to return from ThreatStream. Default is 20. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatStream.Indicators.IType | String | The indicator type. |
| ThreatStream.Indicators.Modified | String | Date and time when the indicator was last updated on the ThreatStream. Format: YYYYMMDDThhmmss, where T denotes the start of the value |
| for time, in UTC time. | ||
| ThreatStream.Indicators.Confidence | String | Level of certainty that an observable is of the reported indicator type. |
| ThreatStream.Indicators.Value | String | The indicator value. |
| ThreatStream.Indicators.Status | String | The indicator status. |
| ThreatStream.Indicators.Organization | String | Registered owner (organization) of the IP address associated with the indicator. |
| ThreatStream.Indicators.Country | String | Country associated with the indicator. |
| ThreatStream.Indicators.Tags | String | Tag assigned to the indicator. |
| ThreatStream.Indicators.Source | String | The source of the indicator. |
| ThreatStream.Indicators.ID | String | The ID of the indicator. |
| ThreatStream.Indicators.ASN | String | Autonomous System (AS) number associated with the indicator. |
| ThreatStream.Indicators.Severity | String | The severity assigned to the indicator. |
Command Example
threatstream-get-indicators type=ip status=active asn=4837 country=CN confidence=84 indicator_severity=medium org="China Unicom Guangxi" limit=5
Context Example
{
"ThreatStream.Indicators": [
{
"Status": "active",
"Confidence": 84,
"IType": "scan_ip",
"Severity": "medium",
"Tags": null,
"Country": "CN",
"Modified": "2019-06-24T10:19:52.077Z",
"Value": "121.31.166.99",
"ID": 53042398831,
"Source": "Anomali Labs MHN",
"Organization": "China Unicom Guangxi",
"Type": "ip",
"ASN": "4837"
},
{
"Status": "active",
"Confidence": 84,
"IType": "scan_ip",
"Severity": "medium",
"Tags": "port-1433,suricata,TCP",
"Country": "CN",
"Modified": "2019-06-24T09:51:04.804Z",
"Value": "121.31.166.99",
"ID": 53042253345,
"Source": "Anomali Labs MHN Tagged",
"Organization": "China Unicom Guangxi",
"Type": "ip",
"ASN": "4837"
},
{
"Status": "active",
"Confidence": 84,
"IType": "scan_ip",
"Severity": "medium",
"Tags": null,
"Country": "CN",
"Modified": "2019-06-24T06:08:12.585Z",
"Value": "182.88.27.168",
"ID": 53016547378,
"Source": "DShield Scanning IPs",
"Organization": "China Unicom Guangxi",
"Type": "ip",
"ASN": "4837"
},
{
"Status": "active",
"Confidence": 84,
"IType": "scan_ip",
"Severity": "medium",
"Tags": "AlienVault,OTX",
"Country": "CN",
"Modified": "2019-06-23T19:38:05.782Z",
"Value": "182.91.129.165",
"ID": 53038621037,
"Source": "Alien Vault OTX Malicious IPs",
"Organization": "China Unicom Guangxi",
"Type": "ip",
"ASN": "4837"
},
{
"Status": "active",
"Confidence": 84,
"IType": "scan_ip",
"Severity": "medium",
"Tags": null,
"Country": "CN",
"Modified": "2019-06-23T17:52:51.165Z",
"Value": "182.91.129.207",
"ID": 52970998522,
"Source": "DShield Scanning IPs",
"Organization": "China Unicom Guangxi",
"Type": "ip",
"ASN": "4837"
}
]
}
Human Readable Output
The indicators results
| IType | Value | Confidence | ID | Source | Type | Status | Tags | Modified | Organization | ASN | Country | Severity |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| scan_ip | 121.31.166.99 | 84 | 53042398831 | Anomali Labs MHN | ip | active | 2019-06-24T10:19:52.077Z | China Unicom Guangxi | 4837 | CN | medium | |
| scan_ip | 121.31.166.99 | 84 | 53042253345 | Anomali Labs MHN Tagged | ip | active | port-1433,suricata,TCP | 2019-06-24T09:51:04.804Z | China Unicom Guangxi | 4837 | CN | medium |
| scan_ip | 182.88.27.168 | 84 | 53016547378 | DShield Scanning IPs | ip | active | 2019-06-24T06:08:12.585Z | China Unicom Guangxi | 4837 | CN | medium | |
| scan_ip | 182.91.129.165 | 84 | 53038621037 | Alien Vault OTX Malicious IPs | ip | active | AlienVault,OTX | 2019-06-23T19:38:05.782Z | China Unicom Guangxi | 4837 | CN | medium |
| scan_ip | 182.91.129.207 | 84 | 52970998522 | DShield Scanning IPs | ip | active | 2019-06-23T17:52:51.165Z | China Unicom Guangxi | 4837 | CN | medium |
15. Add tags to a threat model
Add tags to intelligence for purposes of filtering for related entities.
Base Command
threatstream-add-tag-to-model
Input
| Argument Name | Description | Required |
|---|---|---|
| model | The type of threat model entity on which to add the tag. Default is "intelligence" (indicator). | Optional |
| tags | A CSV list of tags applied to the specified threat model entities or observable. | Required |
| model_id | The ID of the model on which to add the tag. | Required |
Context Output
There is no context output for this command.
Command Example
threatstream-add-tag-to-model model=intelligence model_id=51375607503 tags="suspicious,not valid"
Human Readable Output
Added successfully tags: ['suspicious', 'not valid'] to intelligence with 51375607503
16. Create a threat model
Creates a threat model with the specified parameters.
Base Command
threatstream-create-model
Input
| Argument Name | Description | Required |
|---|---|---|
| model | The type of threat model to create. | Required |
| name | The name of the threat model to create. | Required |
| is_public | The scope of threat model visibility. | Optional |
| tlp | Traffic Light Protocol designation for the threat model. | Optional |
| tags | A CSV list of tags. | Optional |
| intelligence | A CSV list of indicators IDs associated with the threat model on the ThreatStream platform. | Optional |
| description | The description of the threat model. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatStream.Model.ModelType | String | The type of the threat model. |
| ThreatStream.Model.ModelID | String | The ID of the threat model. |
| ThreatStream.Model.Indicators.Value | String | The value of indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ID | String | The ID of indicator associated with the specified model. |
| ThreatStream.Model.Indicators.IType | String | The iType of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Severity | String | The severity of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Confidence | String | The confidence of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Country | String | The country of the indicator associated with the specified model |
| ThreatStream.Model.Indicators.Organization | String | The organization of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ASN | String | The ASN of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Status | String | The status of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Tags | String | The tags of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Modified | String | The date and time the indicator was last modified. |
| ThreatStream.Model.Indicators.Source | String | The source of the indicator. |
| ThreatStream.Model.Indicators.Type | String | The indicator type. |
Command Example
threatstream-create-model model=actor name="New_Created_Actor" description="Description of the actor threat model" intelligence=53042425466,53042425532,53042425520 tags="new actor,test" tlp=red
Context Example
{
"ThreatStream.Model": {
"Indicators": [
{
"Status": "active",
"Confidence": 86,
"IType": "suspicious_domain",
"Severity": "high",
"Tags": "Suspicious-Domain-Registration,TSLABS,victim-Hi-Tech",
"Country": "US",
"Modified": "2019-06-24T10:51:16.384",
"Value": "chatbotshq.com",
"ID": "53042425532",
"Source": "Analyst",
"Organization": "Hostinger International Limited",
"Type": "domain",
"ASN": "12769"
},
{
"Status": "active",
"Confidence": 85,
"IType": "suspicious_domain",
"Severity": "high",
"Tags": "Suspicious-Domain-Registration,TSLABS,victim-Hi-Tech",
"Country": "US",
"Modified": "2019-06-24T10:51:16.589",
"Value": "marketshq.com",
"ID": "53042425520",
"Source": "Analyst",
"Organization": "GoDaddy.com, LLC",
"Type": "domain",
"ASN": "26496"
},
{
"Status": "active",
"Confidence": 77,
"IType": "suspicious_domain",
"Severity": "high",
"Tags": "Suspicious-Domain-Registration,TSLABS,victim-Hi-Tech",
"Country": "US",
"Modified": "2019-06-24T10:54:31.318",
"Value": "leanomalie.com",
"ID": "53042425466",
"Source": "Analyst",
"Organization": "GoDaddy.com, LLC",
"Type": "domain",
"ASN": "26496"
}
],
"ModelType": "Actor",
"ModelID": 26697
}
}
Human Readable Output
Indicators list for Threat Model Actor with id 26697
| IType | Value | ID | Confidence | Source | Type | Status | Tags | Modified | Organization | ASN | Country | Severity |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| suspicious_domain | chatbotshq.com | 53042425532 | 86 | Analyst | domain | active | Suspicious-Domain-Registration,TSLABS,victim-Hi-Tech | 2019-06-24T10:51:16.384 | Hostinger International Limited | 12769 | US | high |
| suspicious_domain | marketshq.com | 53042425520 | 85 | Analyst | domain | active | Suspicious-Domain-Registration,TSLABS,victim-Hi-Tech | 2019-06-24T10:51:16.589 | GoDaddy.com, LLC | 26496 | US | high |
| suspicious_domain | leanomalie.com | 53042425466 | 77 | Analyst | domain | active | Suspicious-Domain-Registration,TSLABS,victim-Hi-Tech | 2019-06-24T10:54:31.318 | GoDaddy.com, LLC | 26496 | US | high |
17. Update a threat model
Updates a threat model with specific parameters. If one or more optional parameters are defined, the command overrides previous data stored in ThreatStream.
Base Command
threatstream-update-model
Input
| Argument Name | Description | Required |
|---|---|---|
| model | The type of threat model to update. | Required |
| model_id | The ID of the threat model to update. | Required |
| name | The name of the threat model to update. | Optional |
| is_public | The scope of threat model visibility. | Optional |
| tlp | Traffic Light Protocol designation for the threat model. | Optional |
| tags | A CSV list of tags. | Optional |
| intelligence | A CSV list of indicators IDs associated with the threat model on the ThreatStream platform. | Optional |
| description | The description of the threat model. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatStream.Model.ModelType | String | The type of threat model. |
| ThreatStream.Model.ModelID | String | The ID of the threat model. |
| ThreatStream.Model.Indicators.Value | String | The value of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ID | String | The ID of indicator associated with the specified model. |
| ThreatStream.Model.Indicators.IType | String | The iType of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Severity | String | The severity of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Confidence | String | The confidence of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Country | String | The country of the indicator associated with the specified model |
| ThreatStream.Model.Indicators.Organization | String | The organization of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ASN | String | The ASN of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Status | String | The status of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Tags | String | The tags of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Modified | String | The date and time the indicator was last modified. |
| ThreatStream.Model.Indicators.Source | String | The source of the inidicator. |
| ThreatStream.Model.Indicators.Type | String | The type of the inidicator. |
Command Example
threatstream-update-model model=actor model_id=26697 intelligence=53042694591 tags="updated tag,gone"
Context Example
{
"ThreatStream": {
"Model": {
"Indicators": [
{
"ASN": "",
"Confidence": 36,
"Country": "CA",
"ID": "53042694591",
"IType": "exploit_ip",
"Modified": "2019-06-24T11:28:31.185",
"Organization": "OVH Hosting",
"Severity": "high",
"Source": "Analyst",
"Status": "active",
"Tags": "HoneyDB",
"Type": "ip",
"Value": "54.39.20.14"
}
],
"ModelID": "26697",
"ModelType": "Actor"
}
}
}
Human Readable Output
Indicators list for Threat Model Actor with id 26697
| IType | Value | ID | Confidence | Source | Type | Status | Tags | Modified | Organization | ASN | Country | Severity |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| exploit_ip | 54.39.20.14 | 53042694591 | 36 | Analyst | ip | active | HoneyDB | 2019-06-24T11:28:31.185 | OVH Hosting | CA | high |
18. Get a list of supported platforms
Returns list of supported platforms for default or premium sandbox
Base Command
threatstream-supported-platforms
Input
| Argument Name | Description | Required |
|---|---|---|
| sandbox_type | The type of sandbox ("default" or "premium"). | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatStream.PremiumPlatforms.Name | String | Name of the supported platform for premium sandbox. |
| ThreatStream.PremiumPlatforms.Types | String | Type of supported submissions for premium sandbox. |
| ThreatStream.PremiumPlatforms.Label | String | The display name of the supported platform of premium sandbox. |
| ThreatStream.DefaultPlatforms.Name | String | Name of the supported platform for standard sandbox. |
| ThreatStream.DefaultPlatforms.Types | String | Type of supported submissions for standard sandbox. |
| ThreatStream.DefaultPlatforms.Label | String | The display name of the supported platform of standard sandbox. |
Command Example
threatstream-supported-platforms sandbox_type=default
Context Example
{
"ThreatStream.DefaultPlatforms": [
{
"Name": "WINDOWSXP",
"Types": [
"file",
"url"
],
"Label": "Windows XP"
},
{
"Name": "WINDOWS7",
"Types": [
"file",
"url"
],
"Label": "Windows 7"
},
{
"Name": "ALL",
"Types": [
"file",
"url"
],
"Label": "All"
}
]
}
Human Readable Output
Supported platforms for default sandbox
| Name | Types | Label |
|---|---|---|
| WINDOWSXP |
file,
url |
Windows XP |
| WINDOWS7 |
file,
url |
Windows 7 |
| ALL |
file,
url |
All |